
Howto: Using check_mk/WATO via ssh and jumphost

I thought I’d pen this down right here as it took me a bit to really figure this out.

Problem: I have some Hosts I would like to monitor but I cannot access them directly (VPN also isn’t an option in this case), so I would like to monitor them using SSH, some directly, some behind a jumphost.

Usually the check_mk agent runs under xinetd, listening on port 6556 and restricted only by allow_from in the xinetd config and maybe iptables. This is fine in a closed, trusted environment but not really over public networks.

We could now either use VPN or tunnel the port through ssh port forwarding, but I found it more convenient just using ssh as a datasource program.

Preparing the nodes

We surely won’t use passwords for this, but rather a key with very limited capabilities.

So, first go to the monitoring site (make sure to do this as the monitoring user) and create a key pair:

Don’t use a passphrase. Now append the public key to the authorized_keys file on the monitored nodes. I am using ansible for this:

This results in:

Now you can ssh to that node from the monitoring host using the key; you should then get the output of the check_mk_agent.

Fine.
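
One way to check the "key with very limited capabilities" requirement on a monitored node, as an added example that is not from the original post. The key comment `check_mk` and the agent path `/usr/bin/check_mk_agent` are assumptions, and the sample entries are constructed.

```sh
# Added example, not from the original post. Assumptions: the monitoring
# key carries the comment "check_mk" and the agent lives at the path below.
AGENT_PATH="/usr/bin/check_mk_agent"
KEY_COMMENT="check_mk"

# audit_authkeys FILE
# Prints a verdict for every monitoring-key line in FILE. Returns 0 only if
# at least one such key exists and each one is pinned to the agent with
# forwarding and pty allocation switched off.
audit_authkeys() {
    seen=0; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        case $line in *" $KEY_COMMENT") ;; *) continue ;; esac
        seen=$((seen + 1))
        # Options, if any, are everything in front of the key type.
        case $line in
            ssh-*|ecdsa-*|sk-*) opts="" ;;
            *) opts=${line%% ssh-*}; opts=${opts%% ecdsa-*}; opts=${opts%% sk-*} ;;
        esac
        why=""
        case $opts in
            *"command=\"$AGENT_PATH\""*) ;;
            *) why=" no forced command for $AGENT_PATH;" ;;
        esac
        case ",$opts," in
            *,restrict,*) ;;   # OpenSSH 7.2+: disables forwarding and pty in one option
            *) for o in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
                   case ",$opts," in *",$o,"*) ;; *) why="$why missing $o;" ;; esac
               done ;;
        esac
        if [ -n "$why" ]; then
            bad=$((bad + 1)); echo "line $n: WEAK:$why"
        else
            echo "line $n: OK"
        fi
    done < "$1"
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample file: one restricted entry, one unrestricted entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
command="/usr/bin/check_mk_agent",restrict ssh-ed25519 AAAA_CONSTRUCTED_KEY check_mk
ssh-ed25519 AAAA_CONSTRUCTED_KEY check_mk
EOF
audit_authkeys "$sample" || echo "at least one monitoring key is not restricted"
rm -f "$sample"
```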

Case 1: Directly accessible node

In WATO, go to Host & Service Parameters => Datasource Programs => Individual program call instead of agent access.

We give a simple name and the command line using the <IP> macro.

Some hosts have issues spawning a tty, so we omit that with -tt. I also had some issues with the host keys which required disabling StrictHostKeyChecking.

I am using this rule for all monitored hosts, therefore I don’t need any rules set up. If you only want to apply these rules to single hosts, just add their names below, or better create a rule as shown in the jumphost example below.

Case 2: Nodes behind jumphost

We use the same approach with a jumphost, just adding that host in between.

We extend our ssh line by -J jump@jumphost. Make sure that you don’t use the root account on the jump host!

If you are using an older or different version of SSH which doesn’t support the -J switch, you need to do it using the old style -W version.

As I only want specific nodes to be monitored using the jumphost, I created another choice in the networking host tags, so all Hosts tagged with “No ping possible” are monitored using the jumphost.

Now another issue arises: Ping fails, which means that all services are being monitored properly while the host has the status “down”. So we need to change that too, with another rule, also tagged with the same tag as above.

Go to Host & Service Parameters => Monitoring Configuration => Host Check Command and add a new rule.

Switch the command from PING to Use the status of the Check_MK Agent and choose the correct host tag.

Done.

Accounting for PHPQstat

A new version of PHPQstat with a simple accounting view is available at https://github.com/zapalotta/PHPQstat…

More later!

More dynamics!

As of just now, my solar logger has even more dynamics! Note the string plan …


Solarlogger galore!

My solar logger is slowly taking shape; a first version is now available to see, both in action and on GitHub…

http://solar.doerflinger.org


https://github.com/zapalotta/SolarLogger

checkrestart for Nagios and Check_mk

In case anyone is interested: I have written a small wrapper for Nagios and Check_mk that makes it very easy to integrate checkrestart into monitoring…

https://github.com/zapalotta/scriptlets

check_checkrestart

Update: Yay, now on Nagios Exchange too.